[Openid-specs-ab] Question about at_hash with EdDSA

Justin Richer jricher at mit.edu
Wed Jun 3 12:08:16 UTC 2020

Ah, thanks for the pointer! I didn’t see that in the issue tracker. That does answer my question and it looks like people came up with the same conclusions that I did. I didn’t realize the inputs for Ed448 though, so that’s good to know as well. Unfortunately this means we’ll need to change our implementation to take into account the key curve for this step, which is annoying but manageable.

 — Justin

> On Jun 2, 2020, at 5:24 PM, Brian Campbell <bcampbell at pingidentity.com> wrote:
> Not sure it's well-trodden exactly but https://bitbucket.org/openid/connect/issues/1125/_hash-algorithm-for-eddsa-id-tokens <https://bitbucket.org/openid/connect/issues/1125/_hash-algorithm-for-eddsa-id-tokens> has some treatment of the subject. 
> On Tue, Jun 2, 2020 at 3:09 PM Justin Richer via Openid-specs-ab <openid-specs-ab at lists.openid.net <mailto:openid-specs-ab at lists.openid.net>> wrote:
> I haven’t been able to find a clean answer for this, but apologies if this is well-trodden already. 
> The ODIC spec defines at_hash (and c_hash and others) as using "the hash algorithm used is the hash algorithm used in the alg Header Parameter of the ID Token's JOSE Header”. This is clear enough for things like RS256 and the like.
> However, the definition of the “EdDSA” JOSE algorithm in RFC8037 (https://tools.ietf.org/html/rfc8037 <https://tools.ietf.org/html/rfc8037>) does not define a hash algorithm in the same way. Edwards signatures as defined in RFC8032 (https://tools.ietf.org/html/rfc8032 <https://tools.ietf.org/html/rfc8032>) seem to internally use SHA-512, but I’m not positive that’s every time or just in the case where you do the pre-hashing calculation. Regardless, the JOSE spec is silent on the matter. 
> So the question is: which hash algorithm do we use for an “EdDSA” signed token when calculating at_hash and its ilk?
>  — Justin
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net <mailto:Openid-specs-ab at lists.openid.net>
> http://lists.openid.net/mailman/listinfo/openid-specs-ab <http://lists.openid.net/mailman/listinfo/openid-specs-ab>
> CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited.  If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20200603/9dd21506/attachment.html>

More information about the Openid-specs-ab mailing list